Do I need to validate JWT tokens in asp.net core 2 REST API?
I have the following code in my asp.net core REST API configuration:
services
    .AddAuthentication(options => { options.DefaultScheme = JwtBearerDefaults.AuthenticationScheme; })
    .AddJwtBearer(options =>
    {
        options.Authority = "https://login.microsoftonline.com/XXXTenantIDXXX";
        options.Audience = "XXXX clientId XXXX";
    });
services.AddMvc(o =>
{
    var policy = new AuthorizationPolicyBuilder()
        .RequireAuthenticatedUser()
        .Build();
    o.Filters.Add(new AuthorizeFilter(policy));
});
It authenticates requests. It is working fine.
I am concerned and worried about JWT token forgery or JWT tokens that come from other AAD applications in the tenant.
I expect the above code provides all the information the ASP.NET Core authentication needs to verify that the JWT is valid and that its audience is the right AAD application.
I wanted to confirm my expectation here and ask whether I need additional logic (code) to verify the JWT token.
asp.net-mvc asp.net-core-2.0 asp.net-core-webapi .net-security
asked Nov 16 '18 at 23:27 by Allan Xu
edited Nov 23 '18 at 19:12 by Allan Xu
There are always checks to make; one of the must-dos is to check if the user exists: even if the JWT is valid, that user may be deleted or banned or whatever. About your question on checking the token, well, what could you do if your secret is stolen? There is no way to know if a VALID JWT was forged or not; at the end of the day, it is valid ...
– Melardev, Nov 23 '18 at 19:15
@Melardev. The most important matter is to make sure the JWT signature is valid. Do you know if the ASP.NET middleware does that?
– Allan Xu, Nov 23 '18 at 20:21
As said below, yes, absolutely, it validates the token, and the middleware can also parse some claims available through the JWT payload, such as the roles. Read this for the roles-related feature: jerriepelser.com/blog/using-roles-with-the-jwt-middleware
– Melardev, Nov 23 '18 at 20:49
1 Answer
Yes, the ASP.NET Core middleware validates the JWT token. Make sure you configure the JWT bearer options and the token validation parameters so that the middleware can validate it.
For example:
services.AddAuthentication(auth =>
{
auth.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
auth.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
}).AddJwtBearer(options =>
{
options.ClaimsIssuer = jwtAuthSettings.ValidIssuer;//Your issuer
options.IncludeErrorDetails = true;
options.RequireHttpsMetadata = true;
options.SaveToken = true;
options.Validate(JwtBearerDefaults.AuthenticationScheme);
options.TokenValidationParameters = new TokenValidationParameters()
{
ClockSkew = TimeSpan.FromMinutes(30),
ValidateIssuer = true,
ValidateAudience = true,
ValidateLifetime = true,
ValidateIssuerSigningKey = true,
ValidIssuer = jwtAuthSettings.ValidIssuer, //Your issuer
ValidAudience = jwtAuthSettings.ValidAudience,//Your Audience
IssuerSigningKey = jwtAuthSettings.SymmetricSecurityKey, //Your Key
NameClaimType = ClaimTypes.NameIdentifier,
RequireSignedTokens = true,
RequireExpirationTime = true
};
});
answered Nov 23 '18 at 20:45 by Muheeb
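To tie the answer back to the Azure AD setup in the question, here is an added example (not code from the question, the answer, or Microsoft) that spells out the checks the middleware performs with `Authority` plus `Audience`, and adds the post-validation "does this user still exist" check raised in the comments. `IUserDirectory` is a hypothetical application service, `tenantId` and `clientId` are placeholders for the values redacted in the question, and the `api://` audience only applies if that Application ID URI was configured on the app registration.

```csharp
// Added example: explicit Azure AD token validation for an ASP.NET Core 2 API.
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

// Hypothetical application service standing in for whatever user store the API has.
public interface IUserDirectory
{
    Task<bool> IsActiveAsync(string objectId);
}

public static class AadJwtBearerSetup
{
    public static IServiceCollection AddAadJwtBearer(
        this IServiceCollection services, string tenantId, string clientId)
    {
        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(options =>
            {
                // Authority drives OpenID Connect discovery: signing keys come from the
                // tenant's JWKS endpoint, so signature validation needs no local key.
                options.Authority = $"https://login.microsoftonline.com/{tenantId}";
                options.RequireHttpsMetadata = true;
                options.TokenValidationParameters = new TokenValidationParameters
                {
                    // Tenant-specific issuers; v1 and v2 tokens use different values.
                    // These are appended to the issuer discovered from the metadata.
                    ValidateIssuer = true,
                    ValidIssuers = new[] { $"https://sts.windows.net/{tenantId}/",
                                           $"https://login.microsoftonline.com/{tenantId}/v2.0" },
                    // A token minted for another app in the same tenant carries that app's
                    // aud and fails here, which is the forgery/cross-app case in the question.
                    ValidateAudience = true,
                    ValidAudiences = new[] { clientId, $"api://{clientId}" },
                    ValidateLifetime = true,
                    RequireExpirationTime = true,
                    RequireSignedTokens = true,
                    ValidateIssuerSigningKey = true,
                    ClockSkew = TimeSpan.FromMinutes(2)
                };
                options.Events = new JwtBearerEvents
                {
                    // Runs only after signature, issuer, audience and lifetime have passed.
                    OnTokenValidated = async ctx =>
                    {
                        const string oidClaim = "http://schemas.microsoft.com/identity/claims/objectidentifier";
                        var oid = ctx.Principal?.FindFirst(oidClaim)?.Value;
                        var users = ctx.HttpContext.RequestServices.GetRequiredService<IUserDirectory>();
                        if (oid == null || !await users.IsActiveAsync(oid))
                            ctx.Fail("Token is valid but the user is unknown or disabled.");
                    }
                };
            });
        return services;
    }
}
```

The handler concatenates `ValidIssuers` with the issuer from the Authority metadata rather than replacing it, so listing both issuer forms does not weaken the check. Register `IUserDirectory` in the container before calling `AddAadJwtBearer`, otherwise every token fails with a missing-service exception.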